Privacy Policy

1. Introduction

Welcome to BakkMe ("BakkMe," "we," "us," or "our"). BakkMe is a social platform that connects people through social media features, fundraising and charitable campaigns, payment processing, live streaming, group communities, messaging, and creator monetization tools. Our mobile application (package name: com.bakkme.app (Android) / com.bakkme.io (iOS)) and related services are collectively referred to as the "Service."

This Privacy Policy describes how we collect, use, disclose, store, and protect your personal information when you use our Service. It applies to all users of the BakkMe mobile application, our website, and any associated services or features.

By accessing or using BakkMe, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices described herein, please do not use our Service.

Scope: This policy applies to personal data processed by BakkMe regardless of the country or territory from which you access the Service. We comply with applicable data protection laws, including the European Union General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable privacy legislation.

2. Information We Collect

We collect information to provide, improve, and personalize our Service. The types of information we collect depend on how you interact with BakkMe.

2.1 Personal Information You Provide

When you create an account or use certain features, you may provide us with:

Account information: Full name, email address, phone number, date of birth, username, and password.
Profile information: Profile photo, biography, gender, location, and any other details you choose to add to your public or private profile.
Communications: When you contact us for support or provide feedback, we collect the content of your messages and any attachments.

2.2 Account Verification and KYC Data

For certain features, including fundraising campaigns, creator monetization, and payment payouts, we may require identity verification in compliance with Know Your Customer (KYC) and anti-money laundering (AML) regulations. This may include:

Government-issued identification documents (e.g., passport, driver's license, national ID card).
Proof of address documents (e.g., utility bill, bank statement).
Selfie or biometric facial scan for identity matching.
Tax identification numbers where legally required.

Note: KYC verification is processed through our secure identity verification partners. We retain only the verification status and a reference identifier; original identity documents are securely handled in accordance with applicable regulations.

2.3 Payment Information

BakkMe enables wallet top-ups, peer-to-peer payments, donations to fundraising campaigns, and creator payouts. Payment processing is handled by Stripe, our third-party payment processor.

What Stripe collects: Credit/debit card numbers, bank account details, billing address, and other financial data necessary to process transactions.
What BakkMe stores: Transaction history, payment amounts, dates, recipient/sender identifiers, and tokenized references provided by Stripe. We do not store your full credit card numbers, debit card numbers, or bank account numbers on our servers.
Payout information: If you receive payouts (e.g., as a fundraiser organizer or creator), we may collect your bank account information or payment method details via Stripe Connect.

Important: All sensitive payment data is tokenized and encrypted by Stripe in compliance with PCI DSS (Payment Card Industry Data Security Standard). BakkMe never has access to your full card details.

2.4 Content You Create

When you use BakkMe, you may create and share various types of content, including:

Posts and stories: Text, images, videos, and other media you publish on your feed or stories.
Messages: Text messages, voice messages, images, videos, and files shared through our chat and messaging features.
Fundraiser details: Campaign titles, descriptions, goals, images, updates, and related content for charitable fundraising campaigns.
Comments and reactions: Comments, likes, and other interactions with content on the platform.
Live streams: Audio and video content broadcast through our live streaming features.
Group content: Posts, media, and discussions shared within groups and communities.

Media content (images, videos, audio) is stored using Firebase Storage (provided by Google) and may also be processed through our content delivery infrastructure.

2.5 Usage Data

We automatically collect information about how you interact with our Service, including:

Features you use and actions you take (e.g., posts viewed, content liked, pages visited).
Time and duration of your sessions.
Search queries within the app.
Referral sources (e.g., how you arrived at BakkMe, deep links clicked).
In-app navigation patterns and interaction data.
Crash reports, error logs, and performance diagnostics.

2.6 Device Information

We collect information about the device you use to access BakkMe, including:

Device identifiers: Unique device ID, advertising ID (IDFA/GAID), hardware identifiers.
Operating system: OS type (iOS, Android), version, and build number.
Device model: Manufacturer, model name, screen resolution.
Network information: IP address, mobile carrier, connection type (Wi-Fi, cellular), signal strength.
Browser information: Browser type and version (when accessing web features).
Language and locale settings.

2.7 Location Data

We may collect location information, depending on the permissions you grant:

Precise location: GPS-based location data, collected only when you explicitly grant location permission. Used for features such as nearby content discovery and location tagging on posts.
Approximate location: Derived from your IP address or network information. This may be used for content localization, regulatory compliance, and fraud prevention.

You can revoke location permissions at any time through your device settings. Disabling location services may limit certain features of the Service.

2.8 Cookies and Similar Technologies

We and our partners use cookies, local storage, pixels, SDKs, and similar technologies to:

Authenticate your session and remember your preferences.
Analyze usage patterns and improve the Service.
Deliver and measure the effectiveness of advertising.
Prevent fraud and enhance security.

Within the mobile application, we use SDKs and device-level storage mechanisms that function similarly to cookies. You can manage your preferences through your device settings and the privacy controls within the BakkMe app.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Providing and Operating the Service

Create, maintain, and secure your account.
Enable social features including posting, sharing, messaging, and live streaming.
Process financial transactions, including wallet top-ups, peer-to-peer payments, donations, and creator payouts via Stripe.
Facilitate fundraising campaigns and charitable donations.
Enable real-time communication through chat, voice messages, video calls, and live streaming (via Janus WebRTC).
Manage groups, communities, and related features.
Deliver content shared via deep links and share features.

3.2 Personalization

Customize your feed and content recommendations based on your interests and interactions.
Suggest connections, groups, and fundraisers that may be relevant to you.
Tailor the user interface and experience to your preferences.

3.3 Communication

Send push notifications via Firebase Cloud Messaging (FCM) about activity on your account, new messages, and other relevant updates.
Send email notifications about account activity, security alerts, and Service updates.
Send marketing communications (with your consent where required by law).
Respond to your support requests and inquiries.

3.4 Safety, Security, and Compliance

Detect, prevent, and address fraud, abuse, security incidents, and other harmful activity.
Verify user identities for KYC/AML compliance.
Enforce our Terms of Service and Community Guidelines.
Comply with applicable legal obligations, including responding to lawful requests from authorities.
Protect the rights, property, and safety of BakkMe, our users, and the public.

3.5 Analytics and Improvement

Analyze usage patterns and trends to understand how our Service is used.
Measure the performance and effectiveness of features.
Conduct research and development to improve the Service.
Debug and troubleshoot technical issues.

3.6 Advertising

Display relevant advertisements through Google AdMob and other advertising partners.
Measure the effectiveness and reach of ad campaigns.
Provide aggregated analytics to advertisers (without sharing personally identifiable information).

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data based on the following legal grounds under the General Data Protection Regulation (GDPR):

Legal Basis	Processing Activities
Contractual Necessity	Account creation and management; providing core Service features (posts, messaging, payments, fundraising, live streaming, groups); processing transactions; delivering content and notifications essential to the Service.
Consent	Marketing communications; precise location data collection; displaying personalized advertisements; processing special categories of data (where applicable); use of non-essential cookies and tracking technologies.
Legitimate Interests	Improving and personalizing the Service; analytics and usage measurement; fraud prevention and platform security; enforcing our terms and policies; providing customer support; conducting research and development.
Legal Obligation	KYC/AML identity verification; tax reporting obligations; responding to lawful legal requests; complying with financial regulations; data retention required by law.
Vital Interests	In rare circumstances, to protect the vital interests of you or another person (e.g., emergency situations).

Where we rely on consent as the legal basis, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

5. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

5.1 Service Providers

We engage trusted third-party companies and service providers to perform functions on our behalf, including:

Stripe: Payment processing, wallet management, peer-to-peer transfers, donor payments, and creator payouts. Stripe processes your financial data under its own privacy policy.
Google Firebase: Cloud Messaging (push notifications), Firebase Storage (media storage), analytics, crash reporting, and authentication services.
Amazon Web Services (AWS): Cloud hosting, data storage, content delivery, and computing infrastructure.
Google AdMob: Advertisement delivery and ad performance measurement.
Identity verification providers: KYC/AML verification services for regulatory compliance.
Email service providers: Transactional and marketing email delivery.
Analytics providers: Usage analytics, performance monitoring, and crash reporting.

All service providers are contractually obligated to process your data only as instructed by us and in accordance with applicable data protection laws. Where required, we enter into Data Processing Agreements (DPAs) with our processors.

5.2 Other Users

Certain information is shared with other users as part of the Service's social features:

Your public profile information (name, username, profile photo, bio) is visible to other users.
Content you post publicly (posts, stories, comments) is visible to your followers and potentially all users, depending on your privacy settings.
Fundraiser campaigns you create are visible to donors and the public.
When you send messages, the recipients can see the content of those messages.
Your activity within groups is visible to other group members.

5.3 Law Enforcement and Legal Requirements

We may disclose your personal information if we believe in good faith that such disclosure is necessary to:

Comply with applicable law, regulation, legal process, or enforceable governmental request.
Enforce our Terms of Service and other agreements, including investigation of potential violations.
Detect, prevent, or otherwise address fraud, security, or technical issues.
Protect against harm to the rights, property, or safety of BakkMe, our users, or the public as required or permitted by law.

5.4 Business Transfers

If BakkMe is involved in a merger, acquisition, reorganization, bankruptcy, asset sale, or similar business transaction, your personal information may be transferred as part of that transaction. We will notify you via email or prominent notice within the Service before your personal information becomes subject to a different privacy policy.

5.5 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

5.6 Aggregated and De-identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you with third parties for research, marketing, analytics, and other purposes.

6. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Data Category	Retention Period
Account information	Duration of your account plus 30 days after deletion request, unless extended retention is legally required.
Profile information	Duration of your account. Deleted upon account deletion.
KYC/Verification documents	As required by applicable KYC/AML laws, typically 5-7 years after the business relationship ends.
Transaction records	As required by financial regulations and tax laws, typically 7 years.
User-generated content	Duration of your account or until you delete the content, whichever comes first.
Messages	Duration of the conversation or until deleted by the user. Backup copies may persist for up to 90 days after deletion.
Usage and device data	Up to 26 months from collection, then aggregated or deleted.
Location data	Up to 12 months, then aggregated or deleted.
Support communications	Up to 3 years after resolution for quality assurance and legal purposes.

When your data is no longer needed, we will securely delete or anonymize it. In some cases, we may retain certain information in an anonymized or aggregated form that can no longer be associated with you.

7. Your Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal information. We are committed to helping you exercise these rights.

7.1 Rights for EU/EEA/UK Users (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR:

Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you.
Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17): You have the right to request deletion of your personal data, subject to certain legal exceptions (e.g., data we must retain for legal compliance).
Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances.
Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
Right to Object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time.
Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority.

7.2 Rights for California Users (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collecting the information, and the categories of third parties with whom we share it.
Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
Right to Correct: You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information. BakkMe does not sell your personal information. To the extent that targeted advertising constitutes "sharing" under the CCPA, you may opt out through the privacy settings in the app.
Right to Limit Use of Sensitive Personal Information: You have the right to limit our use and disclosure of your sensitive personal information to purposes that are necessary to provide the Service.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

California "Shine the Light" Law: California residents may also request information regarding the disclosure of personal information to third parties for their direct marketing purposes. BakkMe does not disclose personal information to third parties for their own direct marketing purposes.

7.3 How to Exercise Your Rights

You can exercise your rights by:

Using the in-app privacy settings and account management tools.
Emailing us at privacy@bakkme.com.
Contacting our Data Protection Officer at dpo@bakkme.com.

We will respond to your request within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request. If we are unable to fulfil your request, we will explain the reasons.

7.4 Opt-Out of Marketing Communications

You can opt out of receiving marketing emails by clicking the "unsubscribe" link in any marketing email or by adjusting your notification preferences in the app settings. Please note that even if you opt out of marketing communications, we may still send you transactional or service-related messages (e.g., account security alerts, payment confirmations).

7.5 Managing Device Permissions

You can manage app permissions (camera, microphone, location, contacts, storage, notifications) through your device's operating system settings at any time. Revoking certain permissions may affect the functionality of specific features.

8. International Data Transfers

BakkMe operates globally, and your personal information may be transferred to, stored in, and processed in countries other than the country in which you reside. These countries may have data protection laws that are different from the laws of your country.

When we transfer personal data from the EEA, UK, or Switzerland to countries that do not provide an adequate level of data protection as determined by the European Commission, we rely on appropriate safeguards, including:

Standard Contractual Clauses (SCCs): We use the European Commission-approved Standard Contractual Clauses for transfers of personal data to countries without an adequacy decision.
Adequacy Decisions: Where available, we rely on adequacy decisions issued by the European Commission or the UK Secretary of State.
Data Privacy Framework: Where applicable, we may rely on certifications under the EU-U.S. Data Privacy Framework, the UK Extension, and the Swiss-U.S. Data Privacy Framework.
Supplementary Measures: We implement additional technical and organizational measures to ensure data protection during transfers, including encryption in transit and at rest.

You may request a copy of the safeguards we use for international transfers by contacting us at dpo@bakkme.com.

9. Children's Privacy

BakkMe is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. Our Service requires users to be at least 13 years of age (or the minimum age required by applicable law in your jurisdiction, whichever is higher) to create an account.

In jurisdictions where the GDPR applies, we require users to be at least 16 years of age (or the age specified by the applicable EU Member State, which may range from 13 to 16) to consent to the processing of their personal data. Where a user is below the applicable age threshold, we require verifiable parental or guardian consent.

COPPA Compliance: In compliance with the Children's Online Privacy Protection Act (COPPA), if we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will take immediate steps to delete that information from our records. If you believe a child under 13 has provided us with personal information, please contact us immediately at privacy@bakkme.com.

We implement age-gating measures during the registration process and reserve the right to terminate accounts where the user is found to be below the minimum age requirement.

10. Security Measures

We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, destruction, or loss. Our security measures include:

Encryption: Data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption or equivalent industry-standard encryption.
Payment security: All payment data is handled by Stripe in a PCI DSS Level 1-compliant environment. BakkMe does not store full card numbers on its servers.
Access controls: Strict role-based access controls (RBAC) limit employee access to personal data on a need-to-know basis.
Authentication: We support secure authentication mechanisms and encourage users to use strong, unique passwords.
Infrastructure security: Our servers are hosted on secure cloud infrastructure (AWS) with firewalls, intrusion detection systems, and regular security audits.
Monitoring: Continuous monitoring and logging of access to personal data and system events.
Incident response: We maintain a data breach incident response plan and will notify affected users and relevant authorities as required by applicable law in the event of a data breach.
Employee training: Regular data protection and security awareness training for all staff with access to personal data.
Vendor assessments: Regular security assessments of third-party service providers who handle personal data.

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining commercially reasonable safeguards appropriate to the sensitivity of the data we process.

11. Third-Party Links and Services

BakkMe may contain links to third-party websites, apps, or services that are not operated by us. These may include:

External websites linked within user-generated content (posts, messages, fundraiser descriptions).
Third-party social media platforms for sharing content.
Payment provider interfaces (e.g., Stripe checkout).
App stores and external download links.
Advertiser websites accessed through ads displayed in the app.

When you interact with these third-party services, their own privacy policies and terms of service apply. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We strongly encourage you to review the privacy policies of any third-party service you access through BakkMe.

The inclusion of a link or integration does not imply endorsement by BakkMe of the linked site or service.

12. Advertising

BakkMe displays advertisements to support the Service. We work with the following advertising partners:

12.1 Google AdMob

We use Google AdMob to serve advertisements within the BakkMe app. AdMob may collect and use certain data to provide personalized ads, including:

Device identifiers (advertising ID).
IP address and approximate location.
App usage data and interaction with ads.
Device information (model, OS version).

Google AdMob's use of data is governed by Google's Privacy Policy. You can manage your ad personalization preferences through your device settings:

Android: Settings > Google > Ads > Opt out of Ads Personalization.
iOS: Settings > Privacy & Security > Tracking > Disable "Allow Apps to Request to Track."

12.2 Facebook Audience Network

We may use Facebook Audience Network to serve advertisements. Facebook may collect data for ad targeting purposes as described in Meta's Privacy Policy. You can manage ad preferences through your Facebook account settings and through your device's advertising ID settings.

12.3 Your Ad Choices

You can control personalized advertising through:

Your device's advertising ID settings (reset or limit ad tracking).
In-app privacy settings within BakkMe.
Industry opt-out tools such as the Network Advertising Initiative (NAI) and Digital Advertising Alliance (DAA) opt-out pages.

Please note that opting out of personalized advertising does not mean you will stop seeing ads; rather, the ads may be less relevant to your interests.

13. Push Notifications

BakkMe uses Firebase Cloud Messaging (FCM) to deliver push notifications to your device. Push notifications may include:

New messages and chat notifications.
Social activity alerts (likes, comments, follows, mentions).
Fundraiser updates and donation notifications.
Payment and transaction confirmations.
Group and community activity updates.
Live stream notifications.
Security alerts (e.g., new device login, password changes).
Promotional and marketing notifications (with your consent).

Managing Push Notifications

You can manage your push notification preferences in the following ways:

In-app settings: Navigate to Settings > Notifications to customize which types of notifications you receive.
Device settings: Disable push notifications for BakkMe entirely through your device's notification settings.

To deliver push notifications, we store a device token (FCM registration token) associated with your account. This token is refreshed periodically and deleted when you log out or uninstall the app.

Please note that disabling push notifications may cause you to miss important messages, security alerts, and transaction updates.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

Update the "Effective Date" at the top of this policy.
Post the revised policy within the BakkMe app and on our website.
Notify you via in-app notification, push notification, or email (for material changes that significantly affect how we process your data).
Where required by law, obtain your consent before implementing changes that require consent.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Service after the revised policy becomes effective constitutes your acknowledgment of the updated terms. If you do not agree with the revised policy, you should discontinue use of the Service and delete your account.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below:

General Privacy Inquiries

Email: privacy@bakkme.com

Data Protection Officer (DPO)

Email: dpo@bakkme.com

For GDPR-related requests, data subject access requests, and data protection inquiries.

Customer Support

Email: support@bakkme.com

For general support, account issues, and feature-related questions.

We aim to respond to all inquiries within 30 days. For data subject access requests under the GDPR, we will respond within one month, with the possibility of a two-month extension for complex requests (in which case we will inform you of the extension and the reasons for the delay).

If you are located in the EEA or UK and believe that we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local supervisory authority. A list of EU data protection authorities is available at https://edpb.europa.eu.